KubernetesClusterIssuer
Creates a cert-manager ClusterIssuer for automated ACME TLS certificate issuance via DNS-01 challenges. Each instance manages one ClusterIssuer for one DNS domain.
What Gets Created
- ClusterIssuer -- cert-manager ClusterIssuer CR named after the DNS domain
- Cloudflare Secret (Cloudflare only) -- Kubernetes Secret containing the API token in the cert-manager namespace
Prerequisites
- cert-manager installed on the cluster (via KubernetesCertManager)
- For GCP/AWS/Azure: workload identity configured on the cert-manager ServiceAccount
Quick Start
```yaml
apiVersion: kubernetes.openmcf.org/v1
kind: KubernetesClusterIssuer
metadata:
  name: my-cluster-issuer
spec:
  certManagerNamespace:
    value: cert-manager
  dnsDomain: example.com
  acme:
    email: admin@example.com
  cloudflare:
    apiToken: "<your-cloudflare-api-token>"
```
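For orientation, the two resources listed under What Gets Created might look like this for the Quick Start values. This is an added illustration written against the cert-manager API, not output captured from the component; the Secret name, Secret key, ACME server URL and account-key Secret name are assumptions.

```yaml
# Added illustration: fields marked "assumed" are not taken from the component.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token          # assumed name
  namespace: cert-manager             # from spec.certManagerNamespace.value
type: Opaque
stringData:
  api-token: "<your-cloudflare-api-token>"   # assumed key name
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example.com                   # named after spec.dnsDomain
spec:
  acme:
    email: admin@example.com
    # assumed ACME server (Let's Encrypt production directory)
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # assumed; the real name is the acme_account_key_secret_name output
      name: example-com-acme-account-key
    solvers:
      - selector:
          dnsZones:
            - example.com             # restrict this solver to the one domain
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token   # must match the Secret above
              key: api-token
```

A ClusterIssuer resolves Secret references in cert-manager's cluster resource namespace, which is why the token Secret lives in the cert-manager namespace. For the DNS-01 solver, a Cloudflare token limited to Zone Read and DNS Edit on the single zone is enough.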
Stack Outputs
| Output | Description |
|---|---|
| cluster_issuer_name | Name of the ClusterIssuer (equals dns_domain) |
| acme_account_key_secret_name | ACME account private key Secret name |
Related Components
- KubernetesCertManager -- installs the cert-manager controller
- KubernetesIngressNginx -- ingress controller that uses ClusterIssuers for TLS